
Surge in Attacks on Surveillance Cameras Linked to Iranian Hackers
Why It Matters
Compromised cameras give Iranian actors real‑time battlefield imagery, enabling more precise missile strikes and amplifying regional conflict risk. The trend highlights IoT devices as strategic attack surfaces for state‑sponsored cyber operations.
Key Takeaways
- Iranian actors target Hikvision and Dahua cameras
- Exploits CVE‑2021‑33044 and CVE‑2017‑7921
- Attacks spike with regional geopolitical events
- VPN services used as attack infrastructure
- Recommendations include VLAN segmentation and firmware updates
Pulse Analysis
The proliferation of internet‑connected surveillance cameras has turned them into low‑hanging fruit for nation‑state actors, and the latest Check Point Research report confirms a sharp uptick in exploitation across the Middle East. By focusing on two Chinese manufacturers—Hikvision and Dahua—attackers can leverage known authentication bypass and remote‑code‑execution flaws to gain visual intelligence on battlefields. The campaign, which began in late February, aligns with a pattern of Iranian cyber doctrine that treats compromised webcams as forward‑looking sensors for missile‑strike assessment and target validation.
Timing analysis shows the scanning bursts coincide with high‑profile diplomatic and military moments: the brief closure of Iranian airspace in mid‑January, a U.S. Central Command visit to Israel, and public warnings of a broader conflict. The threat actors hide behind commercial VPN exit nodes such as Mullvad, ProtonVPN, Surfshark and NordVPN, obscuring their true origin while maintaining a resilient command‑and‑control layer. By routing traffic through these services, the group can pivot quickly, test exploits, and exfiltrate footage without exposing their infrastructure to direct attribution.
Defenders can blunt this vector by treating cameras as critical assets rather than peripheral devices. Removing WAN exposure, enforcing strong, unique credentials, and applying the latest firmware patches for CVE‑2021‑33044 and CVE‑2017‑7921 are essential first steps. Network segmentation—placing cameras on a dedicated VLAN—and continuous monitoring for anomalous logins or outbound connections provide early warning of compromise. As regional tensions persist, the ability to detect camera‑targeting activity may serve as a predictive indicator of imminent kinetic operations, underscoring the need for robust IoT security programs across both public and private sectors.
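The segmentation and monitoring advice above can be checked against flow or firewall logs. The following is an added example, not code from the report or from this page: it flags flows that reach the camera VLAN from outside it, or leave it for anything other than the recorder and time server. The subnet, the allowlisted addresses and the sample flows are all constructed assumptions.

```python
import ipaddress

# All addresses below are constructed for illustration (assumed site layout).
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = {ipaddress.ip_address(a) for a in ("10.20.40.5", "10.20.40.10")}  # NVR, NTP
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.20.40.5", "10.20.30.11", 554),    # NVR pulling video from a camera: expected
    ("10.20.30.11", "10.20.40.10", 123),   # camera syncing time: expected
    ("203.0.113.77", "10.20.30.12", 80),   # internet host reaching a camera web UI
    ("10.20.30.12", "198.51.100.9", 443),  # camera connecting out to the internet
    ("10.20.50.23", "10.20.30.11", 80),    # workstation VLAN reaching a camera
    ("10.20.50.23", "10.20.40.5", 443),    # traffic that does not involve cameras
]

def is_internal(addr):
    """True for RFC 1918 space; everything else is treated as external."""
    return any(addr in net for net in INTERNAL)

def audit_flows(flows):
    """Return (kind, src, dst, port) for every flow that breaks the camera VLAN policy."""
    findings = []
    for src_s, dst_s, port in flows:
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        to_cam, from_cam = dst in CAMERA_VLAN, src in CAMERA_VLAN
        if to_cam and from_cam:
            continue  # camera-to-camera traffic is out of scope for this check
        if to_cam and src not in ALLOWED_PEERS:
            # Inbound from outside the VLAN: WAN exposure or a missing internal ACL
            kind = "segmentation_gap" if is_internal(src) else "wan_exposure"
        elif from_cam and dst not in ALLOWED_PEERS:
            # Cameras should only talk to the recorder and time server
            kind = "lateral_outbound" if is_internal(dst) else "internet_outbound"
        else:
            continue
        findings.append((kind, src_s, dst_s, port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```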